Abstract



The task of extracting an unsatisfiable core for a given Boolean formula has been finding more and more applications in recent years. The only existing approach that scales well for large real-world formulas exploits the ability of modern SAT solvers to produce resolution refutations. However, the resulting unsatisfiable cores are suboptimal. We propose a new algorithm for minimal unsatisfiable core extraction, based on a deeper exploration of resolution-refutation properties. We provide experimental results on formal verification benchmarks confirming that our algorithm finds smaller cores than suboptimal algorithms, and that it runs faster than those algorithms that guarantee minimality of the core.

1 Introduction 

Many real-world problems, arising in formal verification of hardware and software, planning and other areas, can be formulated as constraint satisfaction problems, which can be translated into Boolean formulas in conjunctive normal form (CNF). Modern Boolean satisfiability (SAT) solvers, such as Chaff [1, 2] and MiniSAT [3], which implement enhanced versions of the Davis-Putnam-Logemann-Loveland (DPLL) backtrack-search algorithm, are often able to determine whether a large formula is satisfiable or unsatisfiable. When a formula is unsatisfiable, it is often required to find an unsatisfiable core, that is, a small unsatisfiable subset of the formula's clauses. Example applications include functional verification of hardware [5], FPGA routing [6], and abstraction refinement [7]. For example, in FPGA routing, an unsatisfiable instance implies that the channel is unroutable; localizing a small unsatisfiable core is necessary to determine the underlying reasons for the failure. An unsatisfiable core is a minimal unsatisfiable core (MUC) if it becomes satisfiable whenever any one of its clauses is removed. It is always desirable to find a minimal unsatisfiable core, but this problem is very hard (it is D^P-complete; see [4]).
In this paper, we propose an algorithm that is able to find a minimal unsatisfiable core for large "real-world" formulas. Benchmark families arising in formal verification of hardware (such as [24]) are of particular interest for us. The only approach for unsatisfiable core extraction that scales well for formal verification benchmarks was independently proposed in [17] and in [18]. We refer to this method as the EC (Empty-clause Cone) algorithm. EC exploits the ability of modern SAT solvers to produce a resolution refutation, given an unsatisfiable formula. Most state-of-the-art SAT solvers, beginning with GRASP [19] and including Chaff [1, 2] and MiniSAT [3], implement a DPLL backtrack search enhanced by a failure-driven assertion loop [19]. These solvers explore the assignment tree and create new conflict clauses at the leaves of the tree, using resolution on the initial clauses and previously created conflict clauses. This process stops when either a satisfying assignment is found or the empty clause (□) is derived. In the latter case, SAT solvers are able to produce a resolution refutation: a directed acyclic graph (dag) whose vertices are associated with clauses and whose edges describe resolution relations between clauses. The sources of the refutation are the initial clauses, and the empty clause □ is a sink. EC traverses the refutation backwards, starting from □, and takes the initial clauses connected to □ as the unsatisfiable core. Invoking EC until a fixed point is reached [17] reduces the unsatisfiable core even more. We refer to this algorithm as EC-fp. However, the resulting cores can be reduced further still.

The basic flow of the algorithm for minimal unsatisfiable core extraction proposed in this paper is composed of the following steps:

1. Produce a resolution refutation Π of a given formula using a SAT solver.

2. Drop from Π all clauses not connected to □. At this point, all the initial clauses remaining in Π comprise an unsatisfiable core.

3. For every initial clause C remaining in Π, check whether it belongs to a minimal unsatisfiable core (MUC) in the following manner. Remove C from Π, along with all conflict clauses for which C was required to derive them, and pass all the remaining clauses (including conflict clauses) to a SAT solver.

 • If they are satisfiable, then C belongs to a minimal unsatisfiable core, so continue with another initial clause.

 • If the clauses are unsatisfiable, then C does not belong to a MUC, so replace Π by a new valid resolution refutation not containing C.

4. Terminate when all the initial clauses remaining in Π comprise a MUC.

Related work is discussed in the next section. Section 3 is dedicated to refutation-related definitions. Our basic Complete Resolution Refutation (CRR) algorithm is described in Sect. 4, and a pruning technique enhancing CRR, called Resolution Refutation-based Pruning (RRP), is described in Sect. 5. Experimental results are analyzed in Sect. 6. This is followed by a brief conclusion.

2 Related Work 

Algorithms for unsatisfiable core extraction based on the ability of modern SAT solvers to produce resolution refutations [17, 18] are the most relevant for our purposes, for two reasons. First, this approach allows one to deal with real-world examples arising in formal verification. Second, it serves as the basis of our algorithm. We have already described the EC and EC-fp algorithms in the introduction. Here we briefly consider other approaches.

Theoretical work (e.g., [8]) has concentrated on developing efficient algorithms for formulas with small deficiency (the number of clauses minus the number of variables). However, real-world formulas have arbitrary (and usually large) deficiency. A number of works considered the harder problem of finding the smallest minimal unsatisfiable core [12, 14], or even finding all minimally unsatisfiable formulas [13]. As one can imagine, these algorithms are not scalable even for moderately large real-world formulas.
In [9, 10], an "adaptive core search" is applied for finding a small unsatisfiable core. The algorithm starts with a very small satisfiable subformula, consisting of hard clauses. The unsatisfiable core is built by an iterative process that expands or contracts the current core by a fixed percentage of clauses. The procedure succeeds in finding small, though not necessarily minimal, unsatisfiable cores for the problem instances it was tested on, but these are very small and artificially generated.

Another approach that allows for finding small, but not necessarily minimal, unsatisfiable cores is called AMUSE [11]. In this approach, selector variables are added to each clause and the unsatisfiable core is found by a branch-and-bound algorithm on the updated formula. Selector variables allow the program to implicitly search for unsatisfiable cores using an enhanced version of DPLL on the updated formula. The authors note their method's ability to locate different unsatisfiable cores, as well as its inability to cope with large formulas.

The above described algorithms do not guarantee minimality of the cores extracted. One folk algorithm for minimal unsatisfiable core extraction, which we dub Naive, works as follows. For every clause C in an unsatisfiable formula F, Naive checks whether it belongs to the minimal unsatisfiable core by invoking a SAT solver on F \ {C}. Clause C does not belong to the MUC if and only if the solver finds that F \ {C} is unsatisfiable, in which case C is removed from F. In the end, F contains a minimal unsatisfiable core.

The only non-trivial algorithm existing in the current literature that guarantees minimality is MUP [15]. 
MUP is mainly a prover of minimal unsatisfiability, as opposed to an unsatisfiable core extractor. It decides 
the minimal unsatisfiability of a CNF formula through BDD manipulation. When MUP is used as a core 
extractor, it removes one clause at a time until the remaining core is minimal. MUP is able to prove minimal 
unsatisfiability of some particularly hard classical problems quickly, whereas even just proving unsatisfiability 
is a challenge for modern SAT solvers. However, the formulas described in [15] are small and arise in areas 
other than formal verification. We will see in Section 6 that MUP is significantly outperformed by Naive on 
formal verification benchmarks. 

3 Resolution Refutations 

We begin with a resolution refutation of a given unsatisfiable formula, defined as follows:

Definition 1 (Resolution refutation) Let F be an unsatisfiable CNF formula (set of clauses) and let Π(V, E) be a dag whose vertices are clauses.¹ Suppose V = V^i ∪ V^c, where V^i are all the sources of Π, referred to as initial clauses, and V^c = {C^c_1, ..., C^c_n} is an ordered set of non-source vertices, referred to as conflict clauses. Then the dag Π(V, E) is a resolution refutation of F if:

1. V^i = F;

2. for every conflict clause C^c_i, there exists a resolution derivation {D_1, D_2, ..., D_k, C^c_i} such that:

 (a) for every j = 1, ..., k, D_j is either an initial clause or a prior conflict clause C^c_l, l < i, and

 (b) there are edges D_1 → C^c_i, ..., D_k → C^c_i ∈ E (these are the only edges in E);

3. the sink vertex C^c_n is the only empty clause in V.

For the subsequent discussion, it will be helpful to capture the notion of vertices that are "reachable", or "backward reachable", from a given clause in a given dag.

Definition 2 (Reachable vertices) Let Π be a dag. A vertex D is reachable from C if there is a path (of zero or more edges) from C to D. The set of all vertices reachable from C in Π is denoted Re(Π, C). The set of all vertices unreachable from C in Π is denoted by R̅e̅(Π, C) (the overline denotes the complement within the vertices of Π).

¹ From now on, we shall use the terms "vertex" and "clause" interchangeably in the context of resolution refutations.
Definition 3 (Backward reachable vertices) Let Π be a dag. A vertex D is backward reachable from C if there is a path (of zero or more edges) from D to C. The set of all vertices backward reachable from C in Π is denoted by BRe(Π, C). The set of all vertices not backward reachable from C in Π is denoted B̅R̅e̅(Π, C).

For example, in the resolution refutation of Fig. 1, both sets can be read off the graph for any clause C: R̅e̅(Π, C) consists of the clauses lying on no path that starts at C, and BRe(Π, C) of the clauses on paths that end at C (the clause labels of the original worked example did not survive extraction).

Resolution refutations trace all resolution derivations of conflict clauses, including the empty clause. Generally, not all clauses of a refutation are required to derive □, but only those that are backward reachable from □. It is not hard to see that even if all other clauses and related edges are omitted, the remaining graph is still a refutation. We refer to such refutations as non-redundant (see Definition 4). The refutation in Fig. 1 is non-redundant.

To retrieve a non-redundant subgraph of a refutation, it is sufficient to take BRe(Π, □) as the vertex set and to restrict the edge set E to edges having both ends in BRe(Π, □). We denote this subgraph of a refutation Π by Π|_{BRe(Π, □)}. Observe that Π|_{BRe(Π, □)} is a valid non-redundant refutation.

Definition 4 (Non-redundant resolution refutation) A resolution refutation Π is non-redundant if there is a path in Π from every clause to □.

Lastly, we define a relative hardness of a resolution refutation. 

Definition 5 (Relative hardness) The relative hardness of a resolution refutation is the ratio between 
the total number of clauses and the number of initial clauses. 

4 The Complete Resolution Refutation (CRR) Algorithm 

Our goal is to find a minimal unsatisfiable core of a given unsatisfiable formula F. The proposed CRR method is displayed as Algorithm 1.

Algorithm 1 (CRR). Returns a MUC, given an unsatisfiable formula F.

1: Build a non-redundant refutation Π(V^i ∪ V^c, E)
2: while unmarked clauses exist in V^i do
3:   C ← PickUnmarkedClause(V^i)
4:   Invoke a SAT solver on R̅e̅(Π, C)
5:   if R̅e̅(Π, C) is satisfiable then
6:     Mark C as a MUC member
7:   else
8:     Let G = R̅e̅(Π, C)
9:     Build a resolution refutation Π'(V^i_G ∪ V^c_G, E_G) of G
10:    V^i ← V^i \ {C}
11:    V^c ← (V^c \ Re(Π, C)) ∪ V^c_G
12:    E ← (E \ Re_E(Π, C)) ∪ E_G
13:    Π(V^i ∪ V^c, E) ← Π(V^i ∪ V^c, E)|_{BRe(Π, □)}
14: return V^i

Here Re_E(Π, C) denotes the edges of E that have at least one endpoint in Re(Π, C).



First, CRR builds a non-redundant resolution refutation. Invoking a SAT solver to construct a (possibly redundant) resolution refutation Π(V, E) and restricting it to Π|_{BRe(Π, □)} is sufficient for this purpose.

Suppose Π(V^i ∪ V^c, E) is a non-redundant refutation. CRR checks, for every unmarked clause C left in V^i, whether C belongs to the minimal unsatisfiable core. Initially, all clauses are unmarked. At each stage of the algorithm, CRR maintains a valid refutation of F.

Recall from Definition 2 that R̅e̅(Π, C) is the set of all vertices in Π unreachable from C. By construction of Π, the clauses of R̅e̅(Π, C) were derived independently of C. To check whether C belongs to the minimal unsatisfiable core, we provide the SAT solver with R̅e̅(Π, C), including its conflict clauses. We are trying to complete the resolution refutation without using C as one of the sources. Observe that □ is always reachable from C, since Π is a non-redundant refutation; thus □ is never passed as an input to the SAT solver. We let the SAT solver try to derive □, using R̅e̅(Π, C) as the input formula, or else prove that R̅e̅(Π, C) is satisfiable.

In the latter case, we conclude that C must belong to the minimal unsatisfiable core: no source of Π is reachable from another source, so R̅e̅(Π, C) contains every initial clause other than C, and we have found a model of V^i \ {C}. Since V^i is unsatisfiable, every unsatisfiable subset of V^i contains C. The mark stays valid later on, because V^i only shrinks during the algorithm. Hence, if the SAT solver returns satisfiable, the algorithm marks C (line 6) and moves to the next initial clause. However, if the SAT solver returns unsatisfiable, we cannot simply remove C from F and move to the next clause, since we need to keep a valid resolution refutation for our algorithm to work properly. We describe the construction of a valid refutation (lines 8-13) next.

Let G = R̅e̅(Π, C). The SAT solver produces a new resolution refutation Π'(V^i_G ∪ V^c_G, E_G) for G, whose sources are clauses of R̅e̅(Π, C). We cannot use Π' as the refutation for the subsequent iterations, since the sources of the refutation may only be initial clauses of F. However, the "superfluous" sources of Π' are conflict clauses of Π unreachable from C, and thus are derivable from V^i \ {C} using the resolution relations corresponding to edges of Π. Hence, it is sufficient to augment Π' with those edges of Π that connect V^i \ {C} and R̅e̅(Π, C) to obtain a valid refutation whose initial clauses belong to F. Algorithm CRR constructs a new refutation whose sources are V^i \ {C}, whose conflict clauses are (V^c \ Re(Π, C)) ∪ V^c_G, and whose edges are (E \ {(V_1, V_2) | V_1 ∈ Re(Π, C) or V_2 ∈ Re(Π, C)}) ∪ E_G. This new refutation might be redundant, since Π'(V^i_G ∪ V^c_G, E_G) is not guaranteed to be non-redundant. Therefore, prior to checking the next clause, we reduce the new refutation to a non-redundant one. Observe that in the process of reduction to a non-redundant subgraph, some of the initial clauses of F may be omitted; hence, each time a clause C is found not to belong to the minimal unsatisfiable core, we potentially drop not only C, but also other clauses.

We demonstrate the process of completing a refutation on the example from Fig. 1 (the clause labels of the figure did not survive extraction, so we refer to the clauses by their role). Suppose we are checking whether the initial clause C_1 belongs to the minimal unsatisfiable core. In this case, G = R̅e̅(Π, C_1) consists of eight clauses, initial and conflict clauses together, and the SAT solver receives G as the input formula. It is not hard to check that G is unsatisfiable. One refutation of G is Π'(V^i_G ∪ V^c_G, E_G), where V^i_G consists of four clauses of G, V^c_G = (D_1 = □, D_2 = a ∨ b), and E_G records that D_2 is resolved from two clauses of G (one of them the conflict clause C^c_2 of Π) and that D_1 is derived from D_2 and two further clauses of G. Therefore, C_1, the conflict clauses reachable from it and the related edges are excluded from the refutation of F, whereas D_2, D_1 and the related edges are added to the refutation of F. In this case, the resulting refutation is non-redundant.

We did not define how the function PickUnmarkedClause should pick clauses (line 3). Our current 
implementation picks clauses in the order in which clauses appear in the given formula. Development of 
sophisticated heuristics is left for future research. 

Another direction that may lead to a speed-up of CRR is adjusting the SAT solver for the purposes of the CRR algorithm, considering that the SAT solver is invoked thousands of times on rather easy instances. Integrating the data structures of CRR and the SAT solver, tuning the SAT solver's heuristics for CRR, and holding the refutation in memory rather than on disk (as suggested in [17] for EC) can be helpful.
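As an added example (not the paper's code, which runs inside the VE solver), the following Python sketch implements Algorithm 1 together with the Naive loop of Section 2, on top of a tiny proof-producing SAT procedure. The solver is an assumption of this example: Davis-Putnam variable elimination, chosen because it records a resolution dag in a few lines, whereas the paper's solvers are DPLL/CDCL engines. The instance EXAMPLE is constructed; the first refutation found for it keeps all six clauses as sources, so the else-branch of CRR (lines 8-13) is exercised: checking the first clause splices in a new refutation, and trimming it drops a second clause at the same time, as described above.

```python
"""Added example (not the paper's code): CRR (Algorithm 1) and the Naive loop on top of a small
proof-producing SAT procedure. A clause is a frozenset of ints, -v negating v; a refutation is
two dicts keyed by vertex id: lits[v] is the clause, parents[v] the ids it was resolved from."""
from itertools import count

fresh = count().__next__          # unique vertex ids; initial clauses get ids in formula order

def dp_refute(lits, live):
    """Davis-Putnam variable elimination over {lits[c] : c in live}, smallest variable first.
    Returns (True, {}) if satisfiable, else (False, derived): new id -> (clause, (parent, parent))."""
    lits = dict(lits)
    live = {c for c in live if not any(-l in lits[c] for l in lits[c])}  # drop tautologies
    derived = {}
    while live:
        x = min(abs(l) for c in live for l in lits[c])
        pos = [c for c in sorted(live) if x in lits[c]]
        neg = [c for c in sorted(live) if -x in lits[c]]
        live -= set(pos) | set(neg)                       # x is eliminated
        for p in pos:
            for n in neg:
                r = (lits[p] - {x}) | (lits[n] - {-x})
                if any(-l in r for l in r):
                    continue                              # tautological resolvent
                cid = fresh()
                lits[cid], derived[cid] = r, (r, (p, n))
                if not r:
                    return False, derived                 # empty clause derived: refutation done
                live.add(cid)
    return True, {}

def closure(adj, start):
    """Vertices on a path of zero or more edges from start in the adjacency map adj."""
    seen, stack = set(), [start]
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(adj[v])
    return seen

def reachable(parents, c):        # Re(Pi, C) of Definition 2: edges run from parents to children
    children = {v: [] for v in parents}
    for v, ps in parents.items():
        for p in ps:
            children[p].append(v)
    return closure(children, c)

def trim(lits, parents):          # keep BRe(Pi, box): the non-redundant refutation of Def. 4 (EC)
    keep = closure(parents, next(c for c in parents if not lits[c]))
    return {c: lits[c] for c in keep}, {c: parents[c] for c in keep}

def initial(parents):             # the sources, in formula order
    return sorted(c for c, ps in parents.items() if not ps)

def refute(formula):
    """Line 1 of CRR: a non-redundant refutation of an unsatisfiable formula."""
    lits = {fresh(): frozenset(c) for c in formula}
    parents = {c: () for c in lits}
    sat, derived = dp_refute(lits, set(lits))
    assert not sat, "formula is satisfiable"
    for cid, (r, ps) in derived.items():
        lits[cid], parents[cid] = r, ps
    return trim(lits, parents)

def crr(formula):
    """Algorithm 1 (CRR): returns a MUC as a list of sorted literal lists."""
    lits, parents = refute(formula)
    marked = set()
    while True:
        unmarked = [c for c in initial(parents) if c not in marked]
        if not unmarked:
            return [sorted(lits[c]) for c in initial(parents)]
        C = unmarked[0]                                   # PickUnmarkedClause
        G = set(parents) - reachable(parents, C)          # complement of Re(Pi, C); box is not in it
        sat, derived = dp_refute(lits, G)                 # line 4: conflict clauses are passed too
        if sat:
            marked.add(C)                                 # line 6: V^i minus C is satisfiable
            continue
        # lines 8-13: keep the vertices outside Re(Pi, C) (all their parents are outside too),
        # splice in the new refutation of G, and trim to BRe(Pi, box) again
        lits = {c: lits[c] for c in G}
        parents = {c: parents[c] for c in G}
        for cid, (r, ps) in derived.items():
            lits[cid], parents[cid] = r, ps
        lits, parents = trim(lits, parents)

def naive(formula):
    """The folk algorithm: drop C whenever F minus C is still unsatisfiable."""
    F = [frozenset(c) for c in formula]
    i = 0
    while i < len(F):
        rest = {fresh(): F[k] for k in range(len(F)) if k != i}
        if dp_refute(rest, set(rest))[0]:
            i += 1                                        # C is needed: keep it
        else:
            del F[i]
    return [sorted(c) for c in F]

# Constructed instance over p=1, q=2, y=3, z=4: its only MUC is {q, -q v y, -y v z, -y v -z},
# but the first refutation also uses p and -p v y v z, so CRR has to shrink it.
EXAMPLE = [[1], [-1, 3, 4], [2], [-2, 3], [-3, 4], [-3, -4]]
```

On EXAMPLE both crr and naive return [[2], [-2, 3], [-3, 4], [-4, -3]]. The difference the paper is about shows up in the work done, not in the answer: naive runs the solver six times on the full remaining formula from scratch, whereas crr reuses the conflict clauses of the current refutation and, after discarding the first clause, only has three sources left to check. With a CDCL solver that emits its proof in place of dp_refute, the rest of the sketch is exactly the bookkeeping of lines 8-13.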

5 Resolution-Refutation-Based Pruning 

In this section, we propose an enhancement of Algorithm CRR by developing a resolution refutation-based pruning technique for the case when a SAT solver is invoked on R̅e̅(Π, C) to check whether it is possible to complete a refutation without C. We refer to the pruning technique proposed in this section as Resolution Refutation-based Pruning (RRP). We presume that the reader is familiar with the functionality of a modern SAT solver. (An overview is given in [20].)

An assignment α falsifies a clause C if every literal of C is false under α. An assignment α falsifies a set of clauses P if every clause C ∈ P is falsified by α. We claim that a model for R̅e̅(Π, C) can only be found under a partial assignment that falsifies every clause on some path from C to the empty clause in Re(Π, C). The intuitive reason is that any other assignment satisfies some clause on every such path; together with R̅e̅(Π, C), these satisfied clauses suffice to derive □ by resolution, so by soundness of resolution the assignment cannot be a model of R̅e̅(Π, C). A formal statement and proof are provided in Theorem 1 below.

Consider the example of Fig. 1. Suppose the currently visited clause is C_1. There exist two paths from C_1 to the empty clause □ (the labels of their intermediate clauses did not survive extraction). A model for R̅e̅(Π, C_1) can only be found in the subspace under the partial assignment {a = 1, c = 0}, which falsifies all the clauses of the first path. The clauses of the second path cannot be falsified simultaneously, since a must be true to falsify clause C_1 and false to falsify clause C_3.

Figure 1: Resolution refutation example (the graph itself did not survive extraction).

Denote the subgraph connecting C and □ by Π|_C. The proposed pruning technique, RRP, is integrated into the decision engine of the SAT solver. The solver receives Π|_C together with the input formula R̅e̅(Π, C). The decision engine of the SAT solver explores Π|_C in a depth-first manner, picking unassigned variables of the currently explored path as decision variables and assigning them false. As usual, Boolean Constraint Propagation (BCP) follows each assignment. Backtracking in Π|_C is tightly related to backtracking in the assignment space: both happen when a satisfied clause in Π|_C is found or when a new conflict clause is discovered during BCP. After a particular path in Π|_C has been falsified, a general-purpose decision heuristic is used until the SAT solver either finds a satisfying assignment or proves that no such assignment can be found under the currently explored path. This process continues until either a model is found or the decision engine has completed exploring Π|_C. In the latter case, one can be sure that no model for R̅e̅(Π, C) exists. However, the SAT solver should continue its work to produce a refutation.

We need to describe in greater detail the changes in the decision and conflict analysis engines of the SAT solver required to implement RRP. The decision engine first invokes function RRP_Decide, depicted in Fig. 2 as a state transition relation. Each transition edge has a label consisting of a condition under which the state transition occurs and an operation, executed upon transition. The state can be one of the following:

(Norm) normal;
(Sat) the currently explored clause is satisfied;
(False) the currently explored clause is falsified;
(EoT) subgraph Π|_C has been explored;
(EoF) all clauses in the currently explored path are falsified.

The states are managed globally, that is, if RRP_Decide moves to state S, it will start in state S when invoked next. A pointer D to the currently visited clause of Π|_C is also managed globally. The state transition relation is initialized prior to the first invocation of the decision engine. Pointer D is initialized to C and the initial state is Norm.

Figure 2: Function RRP_Decide, represented as a transition relation. This function is invoked by the decision engine of a SAT solver implementing the RRP pruning technique. (Only one edge label of the figure survived extraction: "D is not satisfied nor falsified / Return an unassigned literal".)

State Norm corresponds to a situation where the algorithm does not yet know the status of D. If D is neither satisfied nor falsified, RRP_Decide returns the negation of some literal of D, which will serve as the next decision. If D is satisfied, the algorithm moves to Sat. Observe that a clause may become satisfied only as a result of BCP. Encountering a satisfied clause means that the currently explored path cannot be falsified, and we can backtrack. Suppose we are in Sat, meaning that D is satisfied. If D has a parent, the algorithm backtracks by moving D to point to its parent and goes back to Norm; otherwise, the tree is explored and the algorithm moves to EoT. In this case, RRP_Decide returns an unknown value and a general-purpose heuristic must be used. Consider now the case when the state is Norm and D is falsified. The algorithm moves to False. Here, one of three conditions holds:

(a) D has an unvisited child S. In this case D is updated to point to S and RRP_Decide moves back to Norm.

(b) All children of D are visited. In this case, we backtrack by moving D back to its parent and go back to Norm.

(c) D has no children. In this case, all the clauses in the currently explored path are falsified. The algorithm moves to EoF; RRP_Decide returns an unknown value; and a general-purpose heuristic must be used.

To complete the picture, we describe the changes to the conflict analysis engine required to implement RRP. One of the main tasks of conflict analysis in modern SAT solvers is to decide to which level in the decision tree the algorithm should backtrack. Let this decision level be bl. When invoked in RRP mode, the conflict analysis engine must also find whether it is required to backtrack in Π|_C, and to which clause. The goal is to backtrack to the highest clause B in the currently explored path in Π|_C such that B has unassigned literals. Recall that D is a pointer to the currently visited clause of Π|_C. Denote by mdl(D) the maximal decision level of D's literals. If bl > mdl(D), the algorithm does nothing; otherwise, it finds the first predecessor B of D in Π|_C such that bl < mdl(B) and sets D ← B.

Table 1: Comparing algorithms for unsatisfiable core extraction. Columns Instance, Var and Cls contain the instance name and its numbers of variables and clauses. For each instance, the first line gives execution times (in seconds) and the second line core sizes (in number of clauses) for each of the seven algorithms; the cut-off time was 24 hours (86,400 sec). Column Rel. Hard. contains the relative hardness of the final resolution refutation produced by CRR+RRP. In the original, the best times among the algorithms guaranteeing minimality are set in bold. Cells lost in extraction are marked "lost"; a dash means that the algorithm produced no core (time-out or mem-out). The rows of the remaining instances, among them the whole fvp-unsat.2.0 family, did not survive extraction.

Instance            Var    Cls     EC      EC-fp   CRR+RRP  CRR     Naive(EC-fp)  Naive(AMUSE)  MUP(EC-fp)  Rel. Hard.
5pipe_k             lost   lost    16      169     13836    17910   83402         time-out      mem-out     1.4
                                   47066   36571   36270    36296   36370         -             -
barrel5             1407   5383    2       19      93       86      406           326           mem-out     1.8
                                   3389    3014    2653     2653    2653          2653          -
barrel6             2306   8931    35      322     351      423     4099          4173          mem-out     1.8
                                   6151    5033    4437     4437    4437          4437          -
barrel7             3523   13765   124     1154    970      1155    6213          24875         mem-out     1.9
                                   9252    7135    6879     6877    6877          6877          -
barrel (name lost)  lost   20083   lost    9660    2509     2859    time-out      time-out      mem-out     1.8
                                   14416   11249   10076    lost    -             -             -
longmult (name lost) 1966  6069    (times partly lost: the values 7, 109, 152 and 13 survive, but not their columns)
                                   1247    1246    972      972     972           976           972
longmult (name lost) 2397  7431    lost    lost    74       31      196           463           35          3.6
                                   1847    1713    1518     1518    1518          1528          1518
longmult6           2848   8853    2       13      288      311     749           2911          5084        5.6
                                   2639    2579    2187     2187    2187          2191          2187
longmult7           3319   10335   17      91      6217     3076    6154          32791         68016       14.2
                                   3723    3429    2979     2979    2979          2993          2979

One further row survives only in fragments and cannot be placed in the columns: an instance with 79489 clauses whose name and one time are lost; its surviving times are 8, 121, 3651, 15112, time-out, time-out; its relative hardness is 1.5; and its core sizes are 24501, 17149, 17052, 17078 and 17077. A single isolated value, 6784, from another lost row also survives.

We found experimentally that the optimal performance for RRP is achieved when it explores Π|_C starting from □ toward C (and not vice versa). In other words, prior to the search, the SAT solver reverses all the edges of Π|_C and sets the pointer D to □ rather than to C. (By default, the current version of RRP explores the graph only to a predefined depth of 50.) The next literal from the currently visited clause is chosen by preferring an unassigned literal with the maximal number of appearances in recent conflict clause derivations (similar to Berkmin's [21] heuristic for SAT). The next visited child is chosen arbitrarily. Further tuning of the algorithm is left for future research.

Theorem 1 Let Π(V^i ∪ V^c, E) be a non-redundant resolution refutation. Let C ∈ V^i be an initial clause and α be an assignment. Then, if α ⊨ R̅e̅(Π, C), there is a path P = {C, ..., C^c_n} in Re(Π, C), connecting C to the empty clause², such that α falsifies every clause in P.

Proof. Suppose, on the contrary, that no such path exists. Then every path from C to □ in Π|_C contains a clause satisfied by α, so the clauses of Π|_C satisfied by α form a vertex cut U separating C from □. The empty clause is derivable by resolution from U together with R̅e̅(Π, C), and α satisfies every clause of this set; by soundness of resolution, α would satisfy □, which is impossible. □

² The empty clause always belongs to Re(Π, C), since Π is non-redundant.
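As an added example (not part of the paper), the following Python code checks the statement of Theorem 1 by brute force on a constructed non-redundant refutation of F = {a ∨ b, ¬a ∨ b, a ∨ ¬b, ¬a ∨ ¬b}, and computes the partial assignments to which RRP restricts its search. The clause names C1, C2, C5, C6, D1, D3, D4 and the shape of the refutation are assumptions of this example; as in the discussion of Fig. 1 above, one of the two paths from C1 to □ cannot be falsified, because it demands b both true and false. The solver-side state machine of RRP_Decide is not reproduced.

```python
"""Added example (not the paper's code): a brute-force check of Theorem 1, the property RRP
relies on, on a hand-built refutation. Variables a=1, b=2; a clause is a frozenset of literals,
-v negating v. The refutation below has two paths from C1 to the empty clause, like Fig. 1."""
from itertools import product

# Constructed non-redundant refutation of F = {a v b, -a v b, a v -b, -a v -b}:
#   D1 = b from C1, C2;  D3 = a from C1, C5;  D4 = -b from D3, C6;  BOX from D1, D4.
LITS = {"C1": frozenset({1, 2}), "C2": frozenset({-1, 2}), "C5": frozenset({1, -2}),
        "C6": frozenset({-1, -2}), "D1": frozenset({2}), "D3": frozenset({1}),
        "D4": frozenset({-2}), "BOX": frozenset()}
PARENTS = {"C1": (), "C2": (), "C5": (), "C6": (), "D1": ("C1", "C2"),
           "D3": ("C1", "C5"), "D4": ("D3", "C6"), "BOX": ("D1", "D4")}
NVARS = 2

def children(parents):
    ch = {v: [] for v in parents}
    for v, ps in parents.items():
        for p in ps:
            ch[p].append(v)
    return ch

def reachable(parents, start):
    """Re(Pi, C): vertices on a path of zero or more edges from start."""
    ch, seen, stack = children(parents), set(), [start]
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(ch[v])
    return seen

def paths_to_empty(lits, parents, start):
    """All paths from start to the empty clause: the subgraph Pi|C that RRP explores."""
    ch, paths = children(parents), []
    def walk(v, path):
        if not lits[v]:
            paths.append(path)
        for w in ch[v]:
            walk(w, path + [w])
    walk(start, [start])
    return paths

def falsifying_literals(lits, path):
    """Literals that must be false to falsify every clause on the path, or None if the
    path demands both a literal and its negation (it cannot be falsified, so RRP skips it)."""
    must = set().union(*(lits[v] for v in path))
    return None if any(-l in must for l in must) else must

def models(lits, vertices, nvars):
    """Total assignments (as sets of true literals) satisfying all the given clauses."""
    for bits in product((False, True), repeat=nvars):
        alpha = {v if t else -v for v, t in zip(range(1, nvars + 1), bits)}
        if all(alpha & lits[c] for c in vertices):
            yield alpha

def theorem1_holds(lits, parents, C, nvars):
    """Every model of the complement of Re(Pi, C) falsifies all clauses on some C-to-box path."""
    outside = set(parents) - reachable(parents, C)
    paths = paths_to_empty(lits, parents, C)
    return all(any(all(not (alpha & lits[v]) for v in p) for p in paths)
               for alpha in models(lits, outside, nvars))

def pruned_subspaces(lits, parents, C):
    """The partial assignments RRP restricts the search to: one per falsifiable path."""
    return [m for m in (falsifying_literals(lits, p) for p in paths_to_empty(lits, parents, C))
            if m is not None]
```

For C1, the complement of Re(Π, C1) is {C2, C5, C6}, whose only model is a = 0, b = 0; that model falsifies the whole path C1, D1, □, while the path C1, D3, D4, □ yields no consistent partial assignment and is skipped. Enumerating all assignments is of course only feasible for a toy; RRP obtains the same restriction by walking Π|_C inside the decision engine.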
6 Experimental Results

We have implemented CRR and RRP in the framework of the VE solver. VE, a variant of the industrial solver Eureka, is a modern SAT solver which implements the following state-of-the-art algorithms and techniques for SAT: 1UIP conflict clause recording [1], enhanced by conflict clause minimization [22]; frequent search restarts [21, 2]; an aggressive clause deletion strategy [21, 2]; and decision stack shrinking [20, 2]. VE uses Berkmin's decision heuristic [21] until 4000 conflicts are detected, and then switches to the CBH heuristic described in [23]. We used benchmarks from four well-known unsatisfiable families, taken from bounded model checking (barrel, longmult) [25] and microprocessor verification (fvp-unsat.2.0, pipe_unsat_1.0) [24]. All the instances we used appear in the first column of Table 1. The experiments on families barrel and fvp-unsat.2.0 were carried out on a machine with 4 GB of memory and two Intel Xeon 3.06 GHz processors. A machine with the same amount of memory and two Intel Xeon 3.20 GHz processors was used for the experiments with families longmult and pipe_unsat_1.0.

Table 1 summarizes the results of a comparison of the performance of two algorithms for suboptimal un- 
satisfiable core extraction and five algorithms for minimal unsatisfiable core extraction in terms of execution 
time and core sizes. 

First, we compare algorithms for minimal unsatisfiable core extraction, namely, Naive, MUP, plain CRR, 
and CRR enhanced by RRP. In preliminary experiments, we found that Naive demonstrates its best perfor- 
mance on formulas that are first trimmed down by a suboptimal algorithm for unsatisfiable core extraction. 
We tried Naive in combination with EC, EC-fp and AMUSE and found that EC-fp is the best front-end for 
Naive. In our main experiments, we used Naive, combined with EC-fp, and Naive combined with AMUSE. 
We have also found that MUP demonstrates its best performance when combined with EC-fp, while CRR 
performs the best when the first refutation is constructed by EC, rather than EC-fp. Consequently, we 
provide results for MUP combined with EC-fp and CRR combined with EC. MUP requires a so-called "de- 
composition tree", in addition to the CNF formula. We used the c2d package [?] for decomposition tree 
construction. 

The sizes of the cores do not vary much between MUC algorithms, so we concentrate on a performance comparison. One can see that the combination of EC-fp and Naive outperforms the combination of AMUSE and Naive, as well as MUP. Plain CRR outperforms Naive on every benchmark, whereas CRR+RRP outperforms Naive on 15 out of 16 benchmarks (the exception being the hardest instance of longmult). This demonstrates that our algorithms are justified practically. Usually, the speed-up of these algorithms over Naive varies between 4x and 10x, but it can be as large as 34x (for the hardest instance of the barrel family) and as small as 2x (for the hardest instance of longmult). RRP improves performance on most instances. The most significant speed-up of RRP is about 2.5x, achieved on hard instances of family fvp-unsat.2.0. The only family for which RRP is usually unhelpful is longmult.

A natural question is why the complex instances of family longmult are hard for CRR, and even harder for RRP. The key difference between longmult and the other families is the hardness of the resolution proof. The relative hardness of a resolution refutation produced by CRR+RRP varies between 1.4 and 2 for every instance of every family except longmult, where it reaches 14.2 for the longmult7 instance. When the refutation is too complex, the exploration of R̅e̅(Π, C) executed by RRP is too complicated; thus, plain CRR is advantageous over CRR+RRP. Also, when the refutation is too complex, it is costly to perform the traversal operations required by CRR. This explains why the advantage of CRR over Naive is as small as 2x.

Comparing CRR+RRP on one side and EC and EC-fp on the other, we find that CRR+RRP always produces smaller cores than both EC and EC-fp. The average gain on all instances of cores produced by CRR+RRP over cores produced by EC and EC-fp is 53% and 11%, respectively. The biggest average gain of CRR+RRP over EC-fp is achieved on families fvp-unsat.2.0 and longmult (18% and 17%, respectively). Unsurprisingly, both EC and EC-fp are usually much faster than CRR+RRP. However, on the three hardest instances of the barrel family, CRR+RRP outperforms EC-fp in terms of execution time.
7 Conclusions

We have proposed an algorithm for minimal unsatisfiable core extraction. It builds a resolution refutation 
using a SAT solver and finds a first approximation of a minimal unsatisfiable core. Then it checks, for every 
remaining initial clause C, if it belongs to the minimal unsatisfiable core. The algorithm reuses conflict 
clauses and resolution relations throughout its execution. We have demonstrated that our algorithm is faster 
than currently existing algorithms by a factor of 6 or more on large problems with non-overly hard resolution 
proofs, and that it can find minimal unsatisfiable cores for real-world formal verification benchmarks. 